Mobile devices typically authenticate to cloud services using passwords. For example, as shown in FIG. 1, a mobile device 100 may prompt a user for a password in order access a cloud service 102. This operation is also shown in FIG. 2, where an application is started on the mobile device, and then a user enters a password to access the cloud service.
As an example, a user may open a web browser on a smartphone (or any other app on the mobile device) and then navigate to a merchant's website (cloud service). The merchant web site then prompts for the user's password prior to allowing the user access to the user's account at the merchant. The user's account at the merchant may store sensitive information such as credit card numbers, addresses, phone numbers, and the like.
Password-based cloud service authentication is vulnerable to hacking. If a hacker gains access to a password file (storing hashed passwords) from the merchant, then the universe of hashed password values can be compared to entries in the password file to gain access to individual user accounts. Sensitive user information may be compromised as a result.